28 Feb 2017

Never mind the DPA, here's the GDPR (General Data Protection Regulation)

When the UK’s Data Protection Act came into force in 1998, the term ‘Data Protection’ entered our vocabulary as a representation of the legal rights individuals have over their personal data. Far fewer people understood the ins and outs, but the concept of data protection entered mass consciousness, just as the internet age was starting to roll.

In May 2018, the legislation is being overhauled to meet the requirements of a much changed world, as the stricter General Data Protection Regulation (GDPR) comes into force. This represents a significant tightening of the rules, combined with much greater penalties for breaches – both financial and penal.

Many organisations are unaware of this change. A recent survey by cloud security firm Netskope found that, of 2,000 UK adults, 63% had never heard of the GDPR, while under 10% had detailed knowledge of the new legislation.

With limits being removed from fines and the possibility of jail sentences for senior managers, it’s important that businesses and other organisations that handle sensitive personal data, such as unions, are aware of the implications of the new legislation.

Data protection legislation identifies some personal data as being ‘sensitive’, in that it requires additional protection when held by organisations. These sensitive areas include information such as sexuality, religion and union membership.

This makes it even more important for organisations that hold this type of data to prepare for the changes ahead. So what are the main changes being made? Well, one of the key objectives behind the new legislation is to give people greater control over how their data is being used. For example, websites will now be expected to require affirmative rather than passive acceptance of terms and conditions that affect their users' data.

Online forms requesting personal data will require a check box to confirm consent. Organisations will need to provide greater transparency around where they store data, what they use it for, and when they delete it. There will be greater rights to request information in a timely manner, and a new ‘right to be forgotten’, where data must be erased upon request where it is no longer serving a purpose.

Another important change is the introduction of unlimited fines. Previously, a risk-based approach could be taken, as fines were capped, but this will no longer be the case. I’ve come across some very questionable practices in the past, where lack of knowledge was used as a defence.

In future, the stricter approach will see potentially huge fines and even prison sentences for similarly poor practice. Business and other organisations should take note and start planning now.
